
Top 10 Security Stories Of 2010

As smartphones and tablets complement and battle with notebooks and PCs as routes to the connected world, as corporate users and consumers turn to both traditional Web sites and newer social networking sites to communicate, share ideas, trade business concepts, and shop, corporate IT professionals and the government organizations overseeing the nation's cybersecurity are all too aware they must do more. And they must do it fast. Recognizing this, the federal government hopes to create a new wave

At all too many companies, the number of insiders may have decreased in a year that saw headcounts drop and unemployment numbers steadily rise. Those still employed may have more reasons than ever to be dissatisfied -- more hours, less pay, heavier workloads and fewer, if any, perks. As a result, businesses should remain vigilant about the ongoing likelihood of having their data or network stolen or destroyed from within. A former IT director in Virginia, for example, was sentenced to 27 months and $6,700 in restitution after pleading guilty to intentionally damaging a protected computer without authorization. Ignorant and lazy users also are to blame, especially in an era of social networking and tweeting. After all, social networking sites generally have minimal password security checks, giving determined outsiders the ability to access the company network.

Vendors are reshaping the ways in which they work. The last 12 months saw a number of large acquisitions within the security space, and the coming months will demonstrate the success -- or failure -- of those ventures. Developers and the industry at large also must grapple with the entire concept of updating in the case of software vulnerability; without guidelines, there's a risk it could be used, or at least be perceived as being used, as a political or competitive tool, not the customer-oriented tool it was designed as. While crystal balls generally are cloudy and difficult to read, IT security prognosticators generally are accurate: The need for security will only grow. And the challenges associated with maintaining and enhancing the safety of the corporate network will only increase.

President Barack Obama's administration launched a commission tasked with determining how the nation's government institutions could improve cybersecurity. A July report discovered a dearth of "doers" and an over-abundance of "analyzers," potentially creating thousands of new cybersecurity jobs and expanded higher-educational programs. The commission also recommended the creation of improved certifications because "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security," it said.

Data security increasingly will be baked into the cloud as businesses purchase more and more solutions as a service. This could mean new business plans for some of today's leading security developers, according to Gartner. Cloud security is predicted to become a $1.5 billion market by 2015, said Forrester analyst Jonathan Penn. In fact, although a 2009 study found half of respondents planned to avoid the cloud because of security concerns, within five years security will be one of the drivers of this technology, Forrester said.

WikiLeaks continues to bombard the Internet and annoy the United States government, diplomats, and allies with its most recent flood of classified U.S. diplomatic documents. The papers -- which the site shared with newspapers such as The New York Times, Le Monde, Der Spiegel, and The Guardian -- revealed serious concerns within the U.S. diplomatic community about the resolve and trustworthiness of several key allies, including Afghanistan and Pakistan, in the war on terror. Vocal critics in the U.S., including Republican Sarah Palin, have lambasted WikiLeaks founder Julian Assange, who is wanted by Interpol to face rape and sexual harassment charges brought against him by two women in Sweden. Meanwhile, Secretary of State Hillary Rodham Clinton has tried to smooth relations with any and all nations who may be offended by publication of the private documents.

Although these raids were unlikely to make a huge dent in actual criminal enterprises, what is promising is the degree of cross-border cooperation happening. For example, the FBI worked with state agencies and law enforcement groups in other countries to bust the Zeus financial ring. In that case, federal and state officials charged 37 individuals after an investigation that began with the New York Police Department; Scotland Yard arrested 11 people in the United Kingdom. While there were no cybercrime treaties, per se, law enforcement agencies pursued relationships and shared information, which resulted in the successful pursuit and capture of many cyber criminals around the world, with the exception of Russia and certain former Soviet lands.

Responsible disclosure continues to generate debate, as security and compliance professionals ponder their obligation to notify vendors, the public, or both. The topic came to a boiling point in June when Google security engineer Tavis Ormandy told Microsoft he had discovered a security vulnerability in Windows XP; Microsoft acknowledged receipt of the report. Five days later, Ormandy posted details of the vulnerability and proof-of-concept code to the Full Disclosure list, a move he made due to the severity of the vulnerability, he said. "But five days notice for Microsoft to fix the problem hardly seems like a reasonable amount of time to me," said Graham Cluley, senior technology consultant at Sophos, in a company blog.

In July, Google asked the computer security community to reconsider the meaning of responsible disclosure and to adopt a more rigorous approach in order to respond more quickly to vulnerabilities. "We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the Google security team said.

Today's cyber attacks are not a macho game or virtual vandalism. Be it malware or targeted, an attack these days generally has the pursuit of money -- and the power, luxuries, and trappings it provides -- at its core. Attacks such as Aurora, which began in 2009 but dominated the news in early 2010, pursued intellectual property. Other malware attacks seek money, proprietary information such as credit cards and, in the United States, social security numbers, and confidential corporate information and trade secrets. For many hackers, creating havoc-inducing code is a big-number business. Websites listing the results of their ill-gotten gains flourish, and governments have a challenge tracking down these criminals who frequently operate offshore using technologies that make them difficult to pin down.

Like a sci-fi movie come to life, the Stuxnet malware infiltrated computer systems around the world and now at least one expert believes its sole purpose is to bring down Iran's Bushehr nuclear power plant, located about 750 miles away from Tehran and the government of Mahmoud Ahmadinejad. In November, Symantec said the designer must have had significant financial backing to create the necessary test environment to mirror their target and to conduct reconnaissance. Since it was detected in June, international security experts have been scrutinizing the worm, an unusually complex creation with more than 4,000 functions -- comparable to some commercial software. "Each feature of Stuxnet was implemented for a specific reason," said Symantec.

It was a year of divorces, reconciliations, and temporary separations, as technology partnerships evolved with the end of the decade. Notably, Apple dumped Flash, saying it no longer will include Flash updates with its operating system. The creator of the popular i-family of portable devices also bid farewell to Java support, passing it along to an open source group instead. These moves by trendsetter Apple -- which created or kick-started consumers' love affair with smartphones and tablets -- could have a broader impact. Then again, Apple does get jeers for the time it takes the company to adopt other developers' security enhancements into its own system updates. But these steps by Apple could be the push necessary to spur adoption of HTML 5 or alternate technologies that don't include the frequent flaws associated with Flash or the occasional headaches seen with Java.

Security firms dipped into their bank accounts and went on shopping sprees over the past 12 months or so, looking to expand their offerings, enter new markets, or shore up their position. Within only six months, a handful of developers spent more than $10 billion to purchase other vendors: Symantec picked up VeriSign, PGP, and GuardianEdge; IBM bought BigFix, OpenPages, and PSS Systems; Hewlett-Packard purchased Fortify and ArcSight; and CA acquired Arcot. In August, giant Intel surprised many industry experts when it bought security software developer McAfee for about $7.68 billion, generating buzz about the possibility of a suitor for arch-rival Symantec. Not to be left out, in late November Trend Micro announced its plans to acquire Mobile Armor.